CVE-2026-45783
libp2p is a JavaScript implementation of the libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUTVALUE messages whose keys bypass all content validation. N...
EUVD-2026-36153
libp2p is a JavaScript implementation of the libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUTVALUE messages whose keys bypass all content validation. N...
CVE-2026-45783 libp2p: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes
libp2p is a JavaScript implementation of the libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUTVALUE messages whose keys bypass all content validation. N...
@libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes
Summary An unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUTVALUE messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a crafted ke...
Improper Validation of Syntactic Correctness of Input
Overview: @libp2p/kad-dht is a JavaScript implementation of the Kad-DHT for libp2p. Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the verifyRecord function, which leads to unlimited message processing since rate limits are applied onl...
8004skill (>=1.1.0 <=2.0.0), @a3stack/identity (=0.2.0) +279 more potentially affected by CVE-2026-45783 via @libp2p/kad-dht (>=10.0.15 <=16.2.6-9eb27be79)
@libp2p/kad-dht NPM version =10.0.15, =1.1.0, =1.0.0, =1.0.0, =1.0.1, =1.3.0, =0.0.2, =1.1.3, =0.2.0, =0.0.0-test.0, =0.0.0-test.0, =0.7.2, =0.0.0-test.0, =4.0.0-nightly.20250907 and more Source cves: CVE-2026-45783 Source advisory: OSV:GHSA-32MQ-HPPH-XFVR...
GHSA-32MQ-HPPH-XFVR @libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes
Summary An unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUTVALUE messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a crafted ke...
PT-2026-42028
Name of the Vulnerable Software and Affected Versions libp2p versions prior to 16.2.6 Description An unauthenticated remote peer can cause disk storage exhaustion on any @libp2p/kad-dht node operating in server mode. This occurs when an attacker sends an unbounded stream of PUT VALUE messages usi...
GHSA-MQR9-HJR8-2M9W Content Censorship in the InterPlanetary File System (IPFS) via Kademlia DHT abuse
The Kademlia DHT go-libp2p-kad-dht 0.20.0 and earlier used in IPFS 0.18.1 and earlier assigns routing information for content i.e., information about who holds the content to be stored by peers whose peer IDs have a small DHT distance from the content ID. This allows an attacker to censor content...
go-libp2p-kad-dht security vulnerability
go-libp2p-kad-dht is a distributed hash table algorithm in the libp2p open source. A security vulnerability exists in go-libp2p-kad-dht version 0.20.0 and earlier, which stems from a vulnerability that allows an attacker to hijack the content parsing process by generating a number of Sybil peers...
CVE-2023-26248
The Kademlia DHT go-libp2p-kad-dht 0.20.0 and earlier used in IPFS 0.18.1 and earlier assigns routing information for content i.e., information about who holds the content to be stored by peers whose peer IDs have a small DHT distance from the content ID. This allows an attacker to censor content...